Frequently asked questions: The EU-US agreement on the transfer of Passenger Name Record (PNR) data

In 2011 the EU and the US agreed on a new PNR Agreement regulating the transfer of Passenger Name Record (PNR) by air carriers to the US.

This agreement entered into force on 1 July 2012, replacing the previous one from 2007. It provides for a first joint review one year after its entry into force and regularly thereafter.

What is PNR data?

PNR data is information provided by passengers, and collected by air carriers for their own commercial purposes. It has been used manually for almost 60 years by customs and law enforcement authorities around the world. Technological developments have made a more systematic use for law enforcement purposes possible, which, in turn, has highlighted the need for rules on how the data is collected, used and stored.

PNR data is stored in airlines' reservation and departure control databases. It contains several different types of information, such as travel dates, travel itineraries, ticket information, contact details, the travel agent with which the flight was booked, the means of payment used, seat numbers and baggage information.

What purposes/offences are covered by the Agreement?

The agreement contains a detailed description of what purposes PNR will be used for. These are the prevention, detection, investigation and prosecution of terrorism and certain transnational crimes. Transnational crimes are defined as crimes punishable by 3 years of imprisonment or more under US law. This excludes minor crimes while allowing PNR to be used to tackle serious crimes such as drug trafficking, human trafficking and terrorism. PNR can also be used on a case-by-case basis for the protection of vital interests of passengers, for example to protect against communicable diseases, or if ordered by a US court.

The agreement further clarifies how PNR is relevant when passengers travel to or from the US. In particular, the agreement clarifies that PNR may, in accordance with its purpose and scope, be processed to identify persons who may require further examination. This ensures that authorities are adequately prepared for the arrival and departure of such persons. This process therefore provides very important advantages in terms of facilitating legitimate travel, by contributing towards faster border controls for persons who may not require further examination.

How long can PNR data be retained?

The Agreement contains provisions stating that data can only be stored for a certain period of time, and it introduces an important new element: depersonalisation of the data just 6 months after it is sent to the US. The Agreement specifies that data can be retained for a total of 15 years.

However, while the US are allowed to use PNR data for terrorist-related offences for 15 years, it is only allowed to use PNR data in order to prevent and fight transnational crime for 10 years, which is 5 years less than under the previous PNR Agreement from 2007.

Of the total of 15 years, after the first 5 years these data will be moved to a dormant database with additional controls and even stricter requirements for US officials to access them, including the above-mentioned depersonalisation of the data after just 6 months of retention.

How are PNR data transmitted?

The Agreement has clear rules on how PNR data should be transferred from air carriers' databases to the US, improving considerably the PNR Agreement from 2007. It recognises the so-called "push method" as, in principle, the only mode of transfer of PNR data. This means that air carriers send PNR data to the US and that US authorities do not access the air carriers' reservation systems to extract data themselves.

How much data are transferred?

PNR data for passengers on all flights from and to the US transferred from air carriers' databases to the US Department of Homeland Security. The Agreement allows for a maximum of 19 data types to be transferred.

How are personal data protected?

The Agreement includes clear and robust provisions on passengers' rights to privacy.

First of all it introduces an important new element: just 6 months after PNR data is sent to the US, the data are depersonalised. In a nutshell, this means that elements of information contained in the PNR allowing identifying a passenger such as a person's name and contact information are masked out and made inaccessible to US officials.

To make sure personal data are fully protected, the Agreement also provides that passengers can obtain access to their PNR, can request the correction of their data, including their erasure and deletion, and can seek administrative and judicial redress as provided for under US law. Sensitive data (such as health information or the type of meal requested by the passenger) are deleted after 30 days.

Furthermore, it is not possible to take decisions adversely affecting passengers based only on automated processing of PNR data. The aim of this is to prevent illegal profiling.

Stricter rules apply to prevent loss or unauthorised disclosure of personal data. Independent oversight of the processing of PNR data is being done by entities such as the Chief Privacy Officer, the Department of Homeland Security Office of Inspector General, the US Government Accountability Office and the US Congress.

What does the redress mechanism look like?

All passengers should be able to seek administrative and judicial redress as provided for under US law. The Agreement lays down clearly the options available under the US law to seek administrative and judicial redress. For example, any individual could petition for judicial review under the Freedom of Information Act or any individual can resolve travel-related enquiries under the Department of Homeland Security Traveller Redress Inquiry Program (DHS TRIP).

Can the US transfer PNR data to third countries?

The Agreement contains strict rules on sharing of PNR data by the Department of Homeland Security with other US authorities and with third countries. Sharing is limited to third countries offering a high level of data protection. PNR data may never be shared in bulk, only on a case-by-case basis, and only for the purposes of fighting transnational crime and terrorism.

What is the duration of the current Agreement?

The Agreement has a 7 years duration and is automatically renewable, to provide legal certainty in the long term. It is possible for both the EU and the US to terminate the agreement at any point in time. On the EU side, this means that the Commission has to submit a proposal to terminate the Agreement, which the Council has to adopt after the European Parliament has given its consent.